XMPP Service Operators - 2021-01-16


  1. SJM

    Thank you, will give that a go

  2. tom

    Hello

  3. tom

    Does anyone here manage the jabberSPAM rbl list?

  4. Licaon_Kter

    which one?

  5. tom

    I am only aware of https://github.com/JabberSPAM/blacklist

  6. Licaon_Kter

    tom Ge0rG does, why?

  7. tom

    I am trying to report a spammer to the operator of noname.rs

  8. tom

    But they do not report any abuse contacts via XEP-0157, nor does their WHOIS info contain any useful information

  9. tom

    » Domain name: noname.rs
    » Domain status: Active
    » Registration date: 26.03.2019 07:30:39
    » Modification date: 28.03.2020 07:14:02
    » Expiration date: 26.03.2021 07:30:39
    » Registrar: NINET Company d.o.o.
    » DNS: vera.ns.cloudflare.com -
    » DNS: art.ns.cloudflare.com -
    » Registrant: Individual
    » Administrative contact: Individual
    » Technical contact: Individual

  10. ernst.on.tour

    As far as I know, Martin is the right person

  11. tom

    Oh, do they run noname?

  12. Martin

    Me? Why?

  13. Martin

    dig SRV _xmpp-server._tcp.noname.rs :(
    ; <<>> DiG 9.16.8-Debian <<>> SRV _xmpp-server._tcp.noname.rs
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11946
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;_xmpp-server._tcp.noname.rs. IN SRV
    ;; ANSWER SECTION:
    _xmpp-server._tcp.noname.rs. 120 IN SRV 0 0 5269 xmpp.noname.rs.
    ;; Query time: 243 msec
    ;; SERVER: 192.168.178.55#53(192.168.178.55)
    ;; WHEN: Sa Jan 16 20:37:44 CET 2021
    ;; MSG SIZE rcvd: 90

  14. Martin

    host xmpp.noname.rs

  15. Martin

    xmpp.noname.rs has address 51.75.149.200

  16. Martin

    whois -b 51.75.149.200
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf
    inetnum: 51.75.149.192 - 51.75.149.207
    abuse-mailbox: secretslineserver@gmail.com
    % This query was served by the RIPE Database Query Service version 1.99 (WAGYU)

  17. Martin

    tom: ^

  18. tom

    Oh

  19. tom

    Thanks

  20. e2e.ee

    Hello everyone. I hope your weekend is a happy one. Saludos!

  21. tom

    How do you all handle abuse reports about harassment originating from your servers?

  22. croax

    mod_firewall, drop messages matching from+to?

  23. tom

    I see

  24. tom

    After having to deal with it originating from other servers, I am just thinking about what I will do when it happens from my server

  25. tom

    I really don't want to or give myself the ability to look at other people's stanzas in order to confirm harassment issues

  26. tom

    I feel that would be a privacy issue

  27. Arne

    there's spam notification

  28. tom

    Bouncing from+to may be the best option, and terminating if there's just too much

  29. Arne

    people can report spam or abuse maybe

  30. tom

    I worry if it becomes a prevalent enough issue the firewall rules would end up very large

  31. tom

    Arne: yes I know that but I'm thinking about how to best handle incoming abuse reports when they come to me

  32. tom

    In a way that respects the privacy of the users and isn't censorship or gets an innocent user banned just because a large group of people all get together and lie about a person

  33. tom

    False allegations

  34. Arne

    I wonder if there is an auto block mod for prosody

  35. Arne

    but I'm often thinking about how to handle this too

  36. e2e.ee

    Hello

  37. e2e.ee

    There are two things I do to stop spam originating from e2e.ee:
    1) record the IP address when someone logs in, and if it repeats again and again and again, block IP with fail2ban. This prevents scripters from logging in, sending, logging out, logging in, sending, over and over again.
    2) mod_throttle_unsolicited (Prosody) - modified to log the IP address in the prosody.log, and then block it with fail2ban. This allows someone to send about 10 messages to people not in the user's contacts, then on the 11th, blocked. Extremely effective method. The spammers basically have to go elsewhere to send spam.

  38. Martin

    1) might block people with bad mobile connection.

  39. Martin

    2) is also prone to false positives

  40. ernst.on.tour

    tom:
    > In a way that respects the privacy of the users
    You can't read content of chat, therefore it isn't a privacy validation. Telekom also knows who and how long do you call someone.
    > and isn't censorship
    Without knowing content ? You are not responsible for crypted content. If somebody was "hurt" he will call the police and the judgement will contact you to offer the data from the "hurter" but you are only able to give him IP and nick.
    > or gets an innocent user banned just because a large group of people all get together and lie about a person
    > False allegations
    That's a problem, but without knowing content no chance to check

  41. e2e.ee

    I have tested it thoroughly.... and I get a text message if anyone is blocked.... so I know how often it is triggered (once a month or so).

  42. e2e.ee

    Yeah, works like a charm!

  43. e2e.ee

    The spammers try it once and just leave.

  44. e2e.ee

    It is very easy to identify who it is, and what their messages are - and it is all spam.

  45. e2e.ee

    If anyone is interested, the code is here:

  46. e2e.ee

    https://gitlab.com/-/snippets/2062078

  47. e2e.ee

    regarding method #1 - I have adjusted it to be extremely permissive before it blocks an IP address.

  48. e2e.ee

    It has blocked my wife's mobile phone - one time, so I just adjusted it to be more permissive.

  49. e2e.ee

    Whenever someone is blocked by my system, I get a text message immediately, so I can keep an eye on it, and adjust it accordingly. That is what being a sysadmin is all about.

  50. tom

    » 2) mod_throttle_unsolicited (Prosody) - modified to log the IP address in the prosody.log, and then block it with fail2ban. This allows someone to send about 10 messages to people not in the user's contacts, then on the 11th, blocked. Extremely effective method. The spammers basically have to go elsewhere to send spam.
    What if someone imports their contact list from another account?

  51. e2e.ee

    If you jump on and start sending messages to someone not on your list, you won't be blocked unless you send many many messages in rapid succession.

  52. e2e.ee

    I mean, you have to send like 20 messages in a minute, which is not typical of someone legitimately communicating.

  53. e2e.ee

    Hey, the server is paid for with my money. If you want to use it, you can play by my rules, or go elsewhere.

  54. tom

    creep.im: why are you listed in jabberspam blocklist? You have abuse contacts and you're clearly a legit server

  55. tom

    I have legitimate users coming in from your server too

  56. tom

    I'm hesitant to adopt the jabberspam blocklist automatically because of this

  57. tom

    e2e.ee: thanks for the very good advice

  58. e2e.ee

    You are welcome. And... if you want to get messages from your server, about anything... like spammers being blocked, etc.... try my new service: monitor.chat (shameless plug)

  59. e2e.ee

    it is free!

  60. e2e.ee

    Funny thing about fail2ban - before I created my XMPP service, I never even heard of it.... really! And Fail2ban is so amazing!

  61. tom

    Yeah

  62. tom

    Fail2ban is pretty good. I've used it to stop DDoS attacks in conjunction with modsecurity (nginx module not prosody)

  63. e2e.ee

    🙂👍

  64. Licaon_Kter

    tom: creep im use mod block strangers and captcha is not always that easy to contact the admin (ironic) also they didn't respond to email for a while Now it's a nice feature..."don't make accounts on our server, as we are on the blocklist"

  65. Licaon_Kter

    tom: creep im uses mod block strangers and captcha is not always that easy to contact the admin (ironic) also they didn't respond to email for a while Now it's a nice feature..."don't make accounts on our server, as we are on the blocklist"

  66. tom

    I see

  67. tom

    I wonder if that's the case for any other servers on the jabberspam blocklist

  68. tom

    Any case, it gives me an excuse to set up a proper spam handling firewall chain rather than just a simple block on the main chain

  69. tom

    In order to handle blocklist exceptions

  70. tom

    Like if I want to whitelist a server from an RBL check, but not whitelist them from rate-limiting or restricted areas

  71. Licaon_Kter

    tom:
    > I wonder if that's the case for any other servers on the jabberspam blocklist
    imho creep im has been responsive to spammers block, albeit they know it's a pain to do this account by account
    Didn't hear anything about the others

  72. Martin

    They could go for a blacklist removal once they set up 0157 *and* react to abuse reports. Afaik creep.im didn't try to get removed.

  73. tom

    Ok

  74. Martin

    > A server operator can ask for removal from the blacklist by opening an issue or PR on this repository. The following conditions must be met to de-list a server:
    > The server must deploy XEP-0157: Contact Addresses for XMPP Services.
    > The operator must react to incoming abuse reports in a timely fashion.
    > The total amount of spam from that server must be insignificant for a watch period of 14 days.

  75. Martin

    https://github.com/JabberSPAM/blacklist/pull/20
    Here you see a timeline of what happened before I made the PR for creep.im

  76. tom

    I did not see that

  77. tom

    Github has a very difficult user interface that does not always work properly